Video Transcription

00:00
All right. Welcome to Handling BitLocker and FileVault 2 Encrypted Drives with Evimetry and Mount Image Pro. That's gonna be a lot of fun.
00:09
I'm gonna show you some difficult ways in future courses, but
00:13
for now, we're gonna keep it slow, slow and simple. Fast and simple, maybe. Um, all right. So moving right along. I promised you we'd go ahead and decrypt these things, and I like to keep my promises.
00:23
So next up here we have Mount Image Pro, produced by GetData out of Australia. Nice company. They also have a tool called Forensic Explorer, which my good friend Blazer Catzen,
00:37
CEO of, ah, of Catzen Forensics, told me does a far better job parsing out the MFT records than any other tool we'd ever seen. So, and Blazer,
00:49
Blazer spends a lot of time looking at tools. I'll trust him on that one. I have not used a recent version of their Forensic Explorer, but I have heard good things about it, and I intend to make sure we do a course on that in the future.
01:00
You're gonna need to get version seven plus, so 7.1-something, I think 7.12 or something like that, is the current seven version of Mount Image Pro. Um,
01:12
so Dr. Schatz down there at the bottom, the guy behind Evimetry and one of the authors of AFF4, has been good to be working with the folks at GetData to incorporate AFF4 recognition of the forensic images directly into their tool.
01:30
So you can just go directly from image to mounting.
01:34
We noticed in the latest version there's a little bit of a, ah,
01:40
problem with the handling of AFF4 images of BitLocker encrypted images. I've already reached out to, ah, to GetData, sent in support tickets and, you know, all the technical stuff, things like that. I'm sure they'll have it, uh, probably fixed before this course makes it online. But,
01:59
but just in case, I'm going to show you the slight workaround that we'll have to do here to, ah, go ahead and decrypt a, uh,
02:07
a BitLocker encrypted image. But, you know, it will be working. It has full support for AFF4 images and APFS images all integrated into one. Um, for Mac using FileVault 2, all you need is that admin password. And for a Windows BitLocker volume, all you need is the 48-digit recovery password for that.
02:27
Good-looking picture, Bradley. Right. He's looking very official there.
02:30
All right. Before we go into the summary, why don't we go ahead and do what I promised you? Which is we would
02:38
go ahead and decrypt these images. So I'm gonna pop over here to my Mount Image Pro, so you can see I'm using the Mount Image Pro version 7.12 1870 build here. And I'm just gonna momentarily switch some hard drives around
02:59
to make the disk images available to me.
03:07
All right.
03:09
Yay, cyber drive disk.
03:12
You gotta kind of like it when that works.
03:16
All right. On this disk, we have the easier zehr one tag that we just made. I also have pre-made, ah, MacBook and Windows 10 encrypted images here. So we're gonna go ahead and use those because I have the keys handy.
03:30
Um,
03:30
so let's, let's start with the Mac image. We come right up here to the corner, we say Mount, and we're going to mount an image file.
03:38
We're going to select the location for that. We're gonna use our cyber drive here,
03:45
and I'm going to take this MacBook
03:46
AFF4 disk and say Open it. You notice on the pull-down here, it's got tons of different image types. It, it automatically recognizes VHD, just, just every kind of crazy thing you could ever want to possibly mount here is all supported by this tool. Really nice. Um,
04:06
you know, and the default up here is a whole bunch of these common image types that you have to deal with, so
04:12
it's gonna immediately recognize your images from your disks.
04:15
I say OK to that and it pauses a second. And it's gonna offer me to mount that as a disk or mount it as a file system. I'm gonna go ahead and say file system. Um, I could say Mac,
04:30
my file system options there have options for including unallocated space, deleted files, all that sort of stuff. So I'm gonna go ahead and leave those alone, say sure, why not? And then I'm going to say OK.
04:44
It's gonna process here for a second, and then it's going to say, hey, what are your credentials? Your password for this encrypted vol, uh, BitLocker, FileVault encrypted volume that was detected here. So I'm gonna go ahead and put my password in there, which is really cool,
05:02
and it's going to go ahead and continue to progress along here.
05:08
We have noticed that oftentimes it will ask for the password multiple times. So not really a big problem.
05:16
Give it the password again.
05:18
Um, I'm assuming it has to do with the virtualization of the APFS file system. That's just a wild, wild guess on my part. But I like to think that I'm right. So we're gonna go with that,
05:31
and it'll continue doing its, its piece here, mounting along.
05:36
Um, one of the things that we have noticed that can cause you a problem here: if you're running a really aggressive antivirus or anti-malware endpoint program on the computer that you're trying to mount these images with,
05:51
um,
05:53
we have found that it will significantly slow up the reading of the images, so you might want to, you know, temporarily disable that or something as you're, as you're loading up
06:01
one of these, these images for review as a disk or something like that.
06:06
I don't know if you noticed on the screen when it was loading, this actually loads it up in a read-only format. So you're not gonna damage anything, ah, on the file systems you're perusing, you know, in Mount Image.
06:21
Give it another second here to finish out what it's doing.
06:28
All right.
06:30
And
06:31
you can see it mounted up. It created the E: drive for me. So if I go ahead and click on View,
06:41
I have
06:42
back
06:44
AFF4 here,
06:46
partitions available: Preboot, Recovery, VMs, all that, in the larger F one partition here. Root. Who didn't expect that?
06:57
There we go.
06:59
That's what I was looking for. Sorry, it took me a moment to get there, but, ah, got the whole file system there. So we could, we go into that, open that up, or I could pop over here to my Windows Explorer. And since it is mounted as a, as an actual drive, I can click my way into that,
07:16
going into that, into Data there, root,
07:20
and of course I have my
07:21
whole Mac file system here. There's my ADF folder,
07:27
bash profiles, histories, files, folders, things like this. So again, ah, love my,
07:33
all the contents of my encrypted FileVault 2 drive now available to me. So I could go ahead and, you know, run further processes on this, or I could, you know, extract files, or I could use some other forensics tool on it. Things like that, all available to me now.
07:50
My other option was I could have mounted this as a disk. Could have made a,
07:54
another snapshot, unencrypted version of this, ah, of the data volume here. Really depends on what your next forensic step is. And the last thing I'm gonna do is go ahead and unmount all. So that was pretty darn simple. Not much to that. Um,
08:13
and boom. You know, immediately an APFS file system that was fully encrypted
08:18
is available to you for review or further processing,
08:22
nice and easy. I'm running this from a Windows computer. Didn't have to do anything fancy to get to that. Um, you know, really, really straightforward. I guess I should have mentioned the price tag on this. A fully licensed version of Mount Image Pro runs, ah, $299. So, so a very reasonably priced program too.
08:41
All right. So our next item up is the BitLocker encrypted disk. I had told you a little bit of a workaround here. So for some reason, right now, in this, this version of Mount Image Pro 7.12, there seems to be a problem with the handling of the AFF4 file. We noticed
09:01
it would start to read it,
09:03
work on it for a long period of time, and then eventually break and fail to open it.
09:09
So, uh, our workaround for this, because as a forensics guy you gotta have lots of workarounds, or ladies, I know a lot of fine forensic ladies out there too working hard at this. Um, so what we do instead is we're gonna go ahead and use the Evimetry bridge that we've used in previous courses.
09:28
Uh, go ahead and mount, ah,
09:33
our disk here with our,
09:39
our BitLocker encrypted image in it. So, in this case, we have the MacBook image in there.
09:46
We've got, there's our Windows 10 image, that's the one that we want to get to.
09:54
And of course, it should pick up the,
09:56
it's indexing everything.
10:01
Oh,
10:05
index, index, index, index.
10:09
Let her finish out. There's the easier one tag, one that we made. So go ahead, mount up all that, and what the bridge is gonna do, of course, we talked about before, is make all those, uh, AFF4 images available as raw dd images. So what we'll be able to do is say Mount,
10:28
Mount Image File, and in this case we'll go to the Evimetry repository, our D: drive, we'll select our Windows 10 BitLocker image. And as you see here, they said it's gonna take that AFF4 and it's gonna make it a raw dd image. It says it's 476 gig now because it's a
10:48
good 500-gig Seagate disk,
10:50
and we're gonna say Open.
10:52
Ah, same thing here. This time we're gonna go ahead and mount it as a disk, though, because we want our Windows file system to go ahead and recognize this as a BitLocker volume.
11:03
So we'll say OK,
11:07
get a little bit of
11:07
messing around there,
11:11
and now we have a notice here, says Unlock Drive E. So I go to Drive E and it says, what is your BitLocker 48-digit recovery key? Oh, my goodness. So much key. Let me go grab my key here, which, of course, I have locked up.
11:31
All right, so I have my key available here, and I can go ahead and type it in. So 517365886
11:46
All right, so I get all 48 digits in there. That was fun, right? And we go ahead and say Unlock. And if everything went right, by, ah, by, E: drive shows up as a completely unencrypted disk now, and, uh,
12:01
and we're good to go. So that was, ah, a Windows 7 computer, it says, um, that we had previously acquired. So now all of my images and all of my items are all available there, and I can go into Program Files or whatever I want. And everything is available to me in an unencrypted state.
12:22
Again, you know, it's a disk. So I could go ahead and acquire the data volume separately. I could process it from here. I could do whatever I wanted, depending on what my forensic requirements were for that.

Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

In this course we will look at forensic collection of fully encrypted Windows and Mac computers with Evimetry.

Instructed by Brian Dykstra, CEO and President of Atlantic Data Forensics.